Opened 12 years ago
Closed 12 years ago
#10689 closed defect (invalid)
Realm not being used for password hash?
Reported by: | james | Owned by: | Steffen Hoffmann |
---|---|---|---|
Priority: | low | Component: | AccountManagerPlugin |
Severity: | normal | Keywords: | needinfo SessionStore |
Cc: | Ryan J Ollos | Trac Release: | 0.11 |
Description (last modified by )
As a test I set the password of my user (james) through the account settings on trac to 'helloworld'. In the database this set the password to ':f4a19cee25aae3fe30d7a319fb7c5144'
I can reproduce this hash like so:
```
echo -n james::helloworld | md5
f4a19cee25aae3fe30d7a319fb7c5144
```
However I thought trac would use the realm set in trac.ini to essentially do this:
```
echo -n james:TracDB:helloworld | md5
8c41eb73b4e4d22f173b2a302d52dfdd
```
I'm obviously missing something, can anyone see what it is? Here are my account manager settings:
```
[account-manager]
account_changes_notify_addresses =
hash_method = HtDigestHashMethod
db_htdigest_realm = TracDB
password_store = SessionStore
login_attempt_max_count = 3
user_lock_time = 30
user_lock_time_progression = 1

[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.admin.accountmanageradminpages = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpage = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = disabled
acct_mgr.web_ui.resetpwstore = disabled
trac.web.auth.loginmodule = disabled
tracopt.versioncontrol.git.* = enabled
```
Attachments (0)
Change History (4)
comment:1 Changed 12 years ago by
Description: | modified (diff) |
---|---|
Keywords: | SessionStore added |
comment:2 Changed 12 years ago by
Cc: | Ryan J Ollos added; anonymous removed |
---|---|
Keywords: | needinfo added |
Trac Release: | 1.0 → 0.11 |
What AcctMgr version are you testing?
Your configuration looks like a mix of
- acct_mgr-0.3 (`acct_mgr.web_ui.emailverificationmodule`) and
- acct_mgr-0.4 (`db_htdigest_realm`).
And from your example hash entry `:f4a19cee25aae3fe30d7a319fb7c5144` you can see that the `db_htdigest_realm` option is ineffective in your particular setup. So most probably you're running acct_mgr-0.3.x with some options meant for the current plugin version 0.4, and should clean up and upgrade before going on.
With unit tests for `SessionStore` in place even for the old-stable plugin version you should be able to verify that it works as expected with `acct_mgr.tests.db.HtDigestTestCase`.
Side-note: On our ticket creation page you've been advised to prefer the mailing-list for local installation/configuration issues. Honestly, it's a big red box at the top of the page. But still you stepped into the development tracking system, which is not meant for general user support. Just assuming software issues here is not a nice play. Would you be so kind as to take care a little more next time, please? Thanks.
comment:3 Changed 12 years ago by
Priority: | normal → low |
---|
Despite knowing about a possibly weak configuration, and without trying to get support from the mailing-list first, you suggested a software issue by creating a bug report here.
As you see, we do still care, but demand interaction and response from the reporter's side in return.
comment:4 Changed 12 years ago by
Resolution: | → invalid |
---|---|
Status: | new → closed |
If you're rather clueless, please test recent development code from the `trunk` branch, and make sure to go for `acct_mgr-0.5` as soon as it has been released.
This should really help for getting a working Trac authentication configuration for both use cases, with AccountManager's login HTML form or HTTP authentication driven by the web-server and its password file optionally managed by AccountManager in turn. For additional hints see #8930.
reformatting for readability
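Added example (not part of the ticket and not AccountManagerPlugin code): a Python check that reports which realm, if any, reproduces a stored htdigest hash for a known test password, which is the comparison the description does by hand with `echo | md5`. It assumes the stored value has the form `realm:hash`, as the `:`-prefixed entry in the description suggests; `htdigest`, `split_entry` and `diagnose` are hypothetical helper names.

```python
import hashlib
import hmac

def htdigest(user, realm, password):
    """MD5 hex digest of 'user:realm:password', as the ticket's echo | md5 does."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def split_entry(stored):
    """Split a stored 'realm:hash' value (layout assumed from the ticket's entry)."""
    realm, sep, digest = stored.rpartition(":")
    if not sep or len(digest) != 32 or len(bytes.fromhex(digest)) != 16:
        raise ValueError("expected '<realm>:<32 hex chars>'")
    return realm, digest.lower()

def diagnose(stored, user, password, configured_realm):
    """Report which realm, if any, reproduces the stored hash for a known password.

    Returns ("ok", realm) when the configured realm matches,
    ("realm_mismatch", realm) when a different realm matches,
    and ("no_match", None) otherwise.
    """
    realm_in_entry, digest = split_entry(stored)
    # Try the configured realm first, then the realm recorded in the entry,
    # then the empty realm seen in the ticket.
    for realm in dict.fromkeys([configured_realm, realm_in_entry, ""]):
        if hmac.compare_digest(htdigest(user, realm, password), digest):
            status = "ok" if realm == configured_realm else "realm_mismatch"
            return status, realm
    return "no_match", None

if __name__ == "__main__":
    # Entry, user, test password and realm as quoted in the ticket.
    entry = ":f4a19cee25aae3fe30d7a319fb7c5144"
    print(diagnose(entry, "james", "helloworld", "TracDB"))
```

A `realm_mismatch` result with an empty realm corresponds to the situation comment:2 describes, where the `db_htdigest_realm` option has no effect on the stored hash.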